b'     Management Issues\n\n             in a\n\n   \xe2\x80\x9cPaperless\xe2\x80\x9d Environment\n\n\n            June 1999\n\n\n\n\n     Inspection Report\n          No. 99-06-01\n\n\n\n\n    Office of Inspector General\nU.S. Small Business Administration\n\x0c                                       June 30, 1999\n\n\nTO:            Kristine Marcy\n               Chief Operating Officer\n\n               Lawrence Barrett\n               Chief Information Officer\n\n               Michael Schattman\n               General Counsel\n\nFROM:          Tim Cross\n               Assistant Inspector General\n                 for Inspection and Evaluation\n\nSUBJECT:       Inspection of Management Issues in a \xe2\x80\x9cPaperless\xe2\x80\x9d Environment\n\n        We are pleased to submit our inspection report on Management Issues in a\n\xe2\x80\x9cPaperless\xe2\x80\x9d Environment. The Office of Inspector General (OIG) initiated this\ninspection as a proactive effort to help SBA management successfully make the transition\nto such an environment and to identify potential security, legal, and organizational\nproblems.\n\n        To gain the greatest benefits from the electronic exchange of information, SBA\nwill need to allow at least limited access by outside partners to its systems. A major\nconcern is how to balance this access with security for the systems and the sensitive\ninformation they may contain. If current trends continue, SBA will probably conduct\nmuch of its business using a Public Key Infrastructure (PKI) that employs digital\nsignatures and identifiers called digital certificates to prove a sender\xe2\x80\x99s identity and a\nmessage\xe2\x80\x99s integrity. Implementing PKI presents challenges as well as opportunities.\n\n        To avoid excessive expenditures on protecting low-value data, the OIG\nrecommends that the Chief Operating Officer require that each program, in consultation\nwith the Office of the Chief Information Officer (OCIO) and the Office of General\nCounsel (OGC), identify the types of data requiring the highest level of security and\nprivacy safeguards. To protect SBA\xe2\x80\x99s interests amid PKI uncertainties, we also\nrecommend that OGC, in consultation with OCIO, develop contracts for use with the\ntrusted third parties providing PKI services. The contracts would identify the parties\xe2\x80\x99\nresponsibilities, liability, and recourse.\n\x0c        An electronic environment raises significant concerns about privacy and the\npotential exposure of confidential information. To reduce such exposure, the OIG\nrecommends that OCIO, in consultation with OGC, limit the amount of information in\nthe digital certificates used to verify the authenticity of an electronic document. To help\nminimize internal security breaches, we recommend that OCIO and OGC jointly develop\na notice for periodic display on computer screens to remind SBA employees and\ncontractors of their information security responsibilities, the relevant penalties, and the\nfact that using Agency information systems constitutes acceptance of those\nresponsibilities and penalties as well as consent to law enforcement searches.\n\n        A paperless environment involves a number of important legal issues, including\nthe authentication of documents and transactions, the admissibility of digital signature\nevidence, and the storage of electronic information. Until uniform standards are\ndeveloped, parties to electronic transactions will have to rely on contracts to spell out\ntheir legal responsibilities. The OIG recommends that OGC, in consultation with\nprogram managers and OCIO, ensure that contractual agreements with resource partners\nand small businesses specifically define what constitutes a valid electronic identity and\nsignature for each party, hold each party responsible for the accuracy of the electronic\ninformation it transmits, and define each party\xe2\x80\x99s recourse.\n\n        Finally, based on other organizations\xe2\x80\x99 experiences, it would be to SBA\xe2\x80\x99s benefit\nto (1) decide which work processes should be paperless based on solid business analysis,\nrather than simply on the availability of advanced technology; (2) strive to make work\nprocesses and electronic systems operate seamlessly; and (3) recognize that human\nfactors are at least as important as technology in implementing paperless solutions. The\nOIG recommends that a top-level official with authority over SBA programs, such as the\nChief Operating Officer, lead a central coordination group of managers, staff, and\ntechnical experts to identify any major Agency work processes that could be eliminated\nor performed more efficiently by outside parties, identify processes that are candidates\nfor electronic initiatives, and refer the electronic initiatives approved by the group to the\nBusiness Technology Investment Council for detailed information policy and cost\nevaluation.\n\n       OCIO and OGC concurred with the report\xe2\x80\x99s recommendations, and the Chief\nOperating Officer indicated her support for our findings.\n\n       The OIG inspection team appreciates the excellent cooperation received from\nSBA staff, other Federal officials, and representatives from non-governmental\norganizations. We would welcome the opportunity to brief you on this inspection at your\nconvenience.\n\n\nAttachment\n\x0c                          TABLE OF CONTENTS\n\n                                                 Page\n\n\nEXECUTIVE SUMMARY                                  iii\n\n\nBACKGROUND                                          1\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY                  5\n\n\nSECURITY ISSUES AFFECTING SBA IN A PAPERLESS\n\nENVIRONMENT                                         7\n\n\nLEGAL ISSUES AFFECTING SBA                        17\n\n\nORGANIZATIONAL ISSUES AFFECTING SBA                23\n\n\nAPPENDICES\n\n\n     A    Chief Operating Officer\xe2\x80\x99s Comments      31\n\n\n     B    Chief Information Officer\xe2\x80\x99s Comments     33\n\n\n     C    Office of General Counsel\xe2\x80\x99s Comments    35\n\n\n     D    Contributors to this Report              37\n\n\n\n\n\n                                        i\n\x0c                    ABBREVIATIONS\n\n\nABA      American Bankers Association\nACES     Access Certificates for Electronic Services\nATM      Automated Teller Machine\nCA       Certification (or Certificate) Authority\nDoD      Department of Defense\nFOIA     Freedom of Information Act\nFY       Fiscal Year\nGAO      General Accounting Office\nGRS      General Records Schedule\nGSA      General Services Administration\nIRS      Internal Revenue Service\nLowDoc   Low Documentation Loan Program\nMMS      Minerals Management Service\nNARA     National Archives and Records Administration\nNASA     National Aeronautics and Space Administration\nOCIO     Office of the Chief Information Officer\nOGC      Office of General Counsel\nOIG      Office of Inspector General\nPCIE     President\xe2\x80\x99s Council on Integrity and Efficiency\nPCLP     Premier Certified Lender Program\nPEBES    Personal Earnings and Benefit Estimate Statement\nPKI      Public Key Infrastructure\nSBA      Small Business Administration\nSBIR     Small Business Innovation Research\nSOP      Standard Operating Procedure\nSSA      Social Security Administration\nUSC      United States Code\n\n\n\n\n                             ii\n\x0c                              EXECUTIVE SUMMARY\n\n\n\nTHE PAPERLESS OFFICE\n\nAs the world\xe2\x80\x99s banking and financial services institutions undergo unparalleled\ntechnological changes, the U.S. Small Business Administration (SBA) and other\norganizations\xe2\x80\x94in both the public and private sectors\xe2\x80\x94are gradually moving toward\n\xe2\x80\x9cpaperless\xe2\x80\x9d methods of conducting business. Much of this movement is spurred by the\norganizations\xe2\x80\x99 need to streamline their operations while sustaining high-quality levels of\nservice despite reductions in staffing and other resources. For our purposes, an office is\ndefined as having a paperless environment if its work processes are essentially electronic,\nwith minimal use of paper documents and reduced need for human handling of routine\ntasks. The purpose is to eliminate the inefficiencies that a paper-based and relatively\nlabor-intensive environment causes. Nonetheless, \xe2\x80\x9cgoing paperless\xe2\x80\x9d can have serious\nsecurity and legal ramifications and significantly affect both an organization\xe2\x80\x99s work\nprocesses and its internal culture.\n\nThe Office of Inspector General (OIG) initiated this inspection as a proactive effort to\nidentify potential problems and to help SBA management successfully make the\ntransition to a paperless environment.\n\nSBA\xe2\x80\x99s Approach to a Paperless Environment\n\nSBA plans to become a \xe2\x80\x9c21st Century Leading-Edge Institution\xe2\x80\x9d through centralizing\nwork processes, modernizing technology, and outsourcing portions of programs.\nAccording to Agency officials, the sizable cuts projected in staffing will compel SBA to\nmake greater use of technology and serve more as a portfolio manager. The Agency will\nlikely perform more oversight functions, such as monitoring preferred lenders and\noutsourced services, and act as a facilitator to match small businesses with resources.\n\nIf current trends continue, SBA will probably conduct much of its business through a\nPublic Key Infrastructure (PKI), which employs digital signatures to prove a sender\xe2\x80\x99s\nidentity and a message\xe2\x80\x99s integrity. To ensure the digital signature\xe2\x80\x99s uniqueness, the\nsender and recipient each have a public (published) key and a private (secret) key. For\nthe keys to work, PKI requires a trusted third party\xe2\x80\x94known as a certification, or\ncertificate, authority (CA)\xe2\x80\x94to vouch for the sender\xe2\x80\x99s identity. The CA issues a digitally\nsigned message\xe2\x80\x94called a digital certificate\xe2\x80\x94binding the sender\xe2\x80\x99s identity to his/her\npublic key. This certificate resembles a credit card or driver\xe2\x80\x99s license\xe2\x80\x94an item issued by\nan organization having information about the user and able to verify the item\xe2\x80\x99s\nauthenticity. Nonetheless, PKI raises accountability, privacy, and implementation issues.\n\nSECURITY ISSUES\n\nTo gain the greatest benefits from the electronic exchange of information, agencies such\n\n\n                                            iii\n\x0cas SBA must take the risk of allowing at least limited access to their systems. The\nproblem is how to balance access with security, without wasting limited financial and\nhuman resources.\n\nAccording to computer security experts in both the private and public sectors,\norganizations attempting to secure their electronic systems should adhere to several basic\nprinciples. These include:\n\n       \xe2\x80\xa2\t Senior management needs to recognize information resources as essential\n          organizational assets.\n\n       \xe2\x80\xa2\t The organization should identify the key information assets that require the\n          greatest protection.\n\n       \xe2\x80\xa2\t No electronic security solution is foolproof.\n\n       \xe2\x80\xa2\t The greatest threats are internal, e.g., employees who are disgruntled or\n          simply inattentive to security procedures.\n\n       \xe2\x80\xa2\t Because every security control has a cost, the decision to impose a new\n          control should be based on a careful business analysis of the expected\n          benefits.\n\nThe most important lesson from security experts is that if an organization ignores the\nhuman element, even the most sophisticated encryption, firewalls, and PKI protections\nmay be rendered useless. Also, according to both private and public sector officials,\nestablishing and enforcing appropriate policies and procedures are by far the most\ndifficult aspects of enhancing computer security.\n\nBased on the security issues discussed in this report, the OIG recommends that:\n\n1) The Chief Operating Officer require that each program, in consultation with the\nOffice of the Chief Information Officer (OCIO) and the Office of General Counsel\n(OGC), identify the types of data requiring the highest level of security and privacy\nsafeguards.\n\n2) The OGC, in consultation with the OCIO, develop contracts applicable to any\ncertification authority or registration authority the Agency might use in a Public\nKey Infrastructure, with such contracts identifying-\xc2\xad\n\n   \xe2\x80\xa2\t Each certification authority\xe2\x80\x99s and/or registration authority\xe2\x80\x99s transaction and\n      security responsibilities and liability for failure to complete an electronic\n      transaction, and\n\n   \xe2\x80\xa2\t Each party\xe2\x80\x99s recourse if it performs a transaction based on the other\xe2\x80\x99s false\n\n\n\n                                            iv\n\x0c        or inaccurate information.\n\n3) The OCIO, in consultation with the OGC, limit future digital certificates to the\nminimum information necessary to complete Agency electronic transactions.\n\n4) The OCIO and the OGC jointly develop a concise notice for periodic display on\ncomputer screens to remind Agency employees and contractors of their basic\ninformation security responsibilities, the penalties for failure to carry out those\nresponsibilities, and the fact that using Agency information systems constitutes\nacceptance of those responsibilities and penalties as well as consent to searches by\nlaw enforcement organizations.\n\nLEGAL ISSUES\n\nAny organization planning to establish a paperless office environment should first\naddress a number of legal issues, including the authentication of documents and\ntransactions, the possession of a documentable record trail, the admissibility of evidence\nregarding digital signatures, and the storage of electronic information.\n\nCurrent Status of Relevant Laws and Regulations\n\nThe Government Paperwork Elimination Act of 1998 requires Federal agencies to\nrecognize electronic signatures and make Federal forms available online during the five-\nyear period beginning in 1998. The public will be able to use the Internet to access\nFederal forms and electronically submit them to Federal agencies.\n\nDespite this legislation, the legal authority for disposition of certain types of electronic\nrecords is in a state of flux. In November 1998, the National Archives and Records\nAdministration (NARA) generally endorsed a standard for electronic records\nmanagement developed by the Department of Defense (DoD). This standard specifies\nthat records management software perform the following functions:\n\n    -   Assign a unique, computer-generated identifier to each record.\n    -   Treat electronic mail messages that have been filed as records, including\n        attachments, as any other record.\n    -   Provide for viewing, saving, and printing lists of records (regardless of media)\n        based on record profiles.\n    -   Identify records that can be sent to a repository for storage.\n    -   Notify authorized individuals when a record is eligible for destruction and destroy\n        it after their approval.1\n\n\n\n\n1\n Department of Defense, \xe2\x80\x9cDesign Criteria Standard for Electronic Records Management Software\nApplications (DoD-5015.2-STD),\xe2\x80\x9d November 1997, pp. 7-17.\n\n\n                                                 v\n\x0cUnresolved Legal Issues Facing SBA\n\nOne reason that many organizations have been cautious in embracing electronic\ncommerce is that they are not yet satisfied that electronic transactions will be treated as\nlegally authentic and binding in court. This is likely to continue until laws and\nregulations catch up with the technology and become case-tested in the judicial system.\nOther unresolved legal issues involve conflicts between investigations and privacy,\nbalancing security with access to information, the type of identification needed to\ndetermine whether the parties to an electronic transaction are legitimate, and storage of\nelectronic records.\n\nNecessity of Contractual Protections for SBA\xe2\x80\x99s Use of Electronic Commerce\n\nUntil uniform standards and rules are developed to cover electronic transactions, parties\nto such transactions will have to rely on the language in a contract for an understanding\nof the legal responsibilities governing their respective actions. At a minimum, a contract\nshould identify (a) a means for authenticating the identity of the contracting parties; (b) a\nlegally recognized form of signature; and (c) secure, reliable commercial records.2\n\nWith reference to these legal issues, the OIG recommends that:\n\n5) The Office of General Counsel, in consultation with program managers and the\nOffice of the Chief Information Officer, ensure that contractual agreements and\nrelated modifications with resource partners and small businesses using electronic\nmeans to conduct business with SBA-\xc2\xad\n\n    \xe2\x80\xa2\t Define what constitutes a valid electronic identity and signature for each\n       party.\n    \xe2\x80\xa2\t Hold each party responsible for the accuracy of the electronic information it\n       transmits.\n    \xe2\x80\xa2\t Define each party\xe2\x80\x99s recourse if the other fails to carry out any part of the\n       agreement.\n\n\n\n\n2\n Sutin, Alan. Roadblocks Stall Electronic Commerce. New York Law Journal, July 13, 1998,\nwww.nylj.com.\n\n\n\n\n                                                 vi\n\x0cORGANIZATIONAL ISSUES\n\n\nThe experiences of other organizations reveal several important lessons-learned that may\nbenefit SBA as it moves toward a paperless office environment:\n\n   1.\t Decide which work processes should be paperless based on solid business\n       analysis, rather than simply on the availability of advanced technology.\n\n   2.\t Strive to have work processes and electronic systems operate seamlessly by\n       integrating databases, hardware, and software programs that currently operate\n       independently of one another.\n\n   3.\t Recognize that human factors are at least as important as technology in\n       implementing paperless business solutions.\n\nBusiness Analysis\n\nAn organization needs to ensure that implementing a paperless office environment makes\ngood business sense. This means first examining business functions to determine\n(1) whether they need to be performed in the first place and (2) whether any changes to\nimprove business operations lend themselves to technological applications.\n\nAny application of paperless office technology should be preceded by a strategic\nassessment of how the application supports the organization\xe2\x80\x99s plans for product and\nservice delivery. Decision-makers need to consider the ways people work and interact\nand how underlying work processes could be influenced positively by going paperless. A\ngood example can be found in SBA\xe2\x80\x99s Office of Capital Access, which has undertaken the\nreengineering of work processes as part of its loan modernization effort.\n\nThere was a consensus among the many SBA officials we interviewed that a working\ngroup of Agency managers should be appointed by the Administrator to make the\nnecessary assessments and to oversee prospective conversions to a paperless\nenvironment. Such a central coordination group would ensure that obsolete work\nprocesses are not automated, that electronic initiatives are compatible inside and outside\nthe Agency, and that no attempts to create electronic initiatives go forward without giving\nfull consideration to their effect on the rest of SBA and its partners.\n\nThe paperless proposals that passed this screening would then undergo the detailed policy\nand cost evaluations performed by SBA\xe2\x80\x99s existing Business Technology Investment\nCouncil (BTIC). BTIC thus could be assured that management had considered work\nprocesses before trying to buy technology, and the Agency could avoid fragmented\nimplementation of electronic initiatives.\n\nConversion to a paperless environment can be expensive, with benefits difficult to\nquantify, particularly if an organization attempts to handle everything itself. However, a\n\n\n                                            vii\n\x0cmajor technology firm estimates that it could establish a digital signature environment at\nSBA\xe2\x80\x94to be used initially with preferred lenders\xe2\x80\x94at a cost of between $75,000 and\n$100,000. The annual ongoing cost is estimated at $30,000. In addition, SBA would\nhave internal expenses such as validating employee and resource partner identities,\nemployee training, and possible enhanced security. Offsetting the costs are potential\xe2\x80\x94\nand difficult to measure\xe2\x80\x94savings in paperwork processing, reduced staff time, and\nconsolidated processes.\n\nWork Processes and Information Systems\n\nAn important need for organizations making the transition to a paperless environment is\nthe smooth integration of their disparate single-purpose databases and their hardware and\nsoftware platforms. The multiple databases often found in large organizations need to be\nintegrated to ensure that personnel have access to data that needs to be shared.\nOtherwise, staff may be forced to rely on proprietary \xe2\x80\x9cstovepipe\xe2\x80\x9d databases that separate\nproducts or programs from each other, create unnecessary bottlenecks, and make data\nmanagement more complex and costly. An example of an initiative supporting\nintegration is SBA\xe2\x80\x99s Digital Signature Technology Policy and Oversight Committee,\nwhich seeks to develop a common electronic signature architecture for the entire Agency.\n\nHuman Factors\n\nPerhaps the most important organizational issue is the recognition of human factors that,\nif left unattended, can bring a halt to the most elegant or technologically sophisticated\nsolutions. Our research found that while technological innovations continue to overcome\ntechnical systems problems, organizations often underestimate the cultural and human\nobstacles to success in the paperless office. Moreover, for paperless office initiatives to\nbe embraced by any organization, they must be driven by the managers and users, rather\nthan the technical staff.\n\nWhat specific steps should an organization follow to become paperless? One of the most\nambitious electronic initiatives in the Federal government is the DoD effort to implement\na paperless contracting process. The blueprint for accomplishing this calls for-\xc2\xad\n\n    \xe2\x80\xa2\t Establishing a senior-level steering group,\n    \xe2\x80\xa2\t Creating incentives for people to exchange information electronically,\n    \xe2\x80\xa2\t Improving coordination and communication across functional areas,\n    \xe2\x80\xa2\t Reviewing and eliminating policies and procedures requiring that information be\n       stored on paper, and\n    \xe2\x80\xa2\t Reviewing statutory requirements for proposed legislative relief from paper\n       creation.3\n\n\n\n\n3\n Department of Defense, \xe2\x80\x9cBlue Print for Paper-Free Contracting Process (Revision A),\xe2\x80\x9d\nSeptember 4, 1997, p. 18.\n\n\n                                                   viii\n\x0cBased on the organizational issues we have identified, the OIG recommends that:\n\n6) A top-level SBA official with authority over SBA programs, such as the Chief\nOperating Officer, lead a central coordination group of managers, staff, and\ntechnical experts to-\xc2\xad\n\n   \xe2\x80\xa2\t Identify any major Agency work processes that should be eliminated or\n      performed by outside parties.\n   \xe2\x80\xa2\t Identify processes that are candidates for electronic initiatives.\n   \xe2\x80\xa2\t Refer the electronic initiatives approved by the group to the Business\n      Technology Investment Council for detailed policy and cost evaluation.\n\n\nSBA COMMENTS\n\nThe Office of Chief Information Officer and the Office of General Counsel concurred\nwith the report\xe2\x80\x99s recommendations. In addition, the Chief Operating Officer indicated\nher support for the report\xe2\x80\x99s findings.\n\n\n\n\n                                           ix\n\x0c                                          BACKGROUND\n\n\n\nThe Paperless Office\n\nThe world\xe2\x80\x99s banking and financial services institutions are undergoing technological\nchanges unparalleled in their history. According to a leading bank that relies on state-of\xc2\xad\nthe-art technology, much of its business in the next two decades will come from\ncustomers it does not have today, involve products and services that do not exist today,\nand be delivered in completely new ways. Likewise, SBA and other organizations\xe2\x80\x94in\nboth the public and private sectors\xe2\x80\x94are gradually moving toward \xe2\x80\x9cpaperless\xe2\x80\x9d methods of\nconducting business. Much of this movement is spurred by the organizations\xe2\x80\x99 need to\nstreamline their operations while sustaining high-quality levels of service despite\nreductions in staffing and other resources. According to Agency officials, converting to a\npaperless environment will save SBA money, labor, and time, while improving customer\nsatisfaction and providing new and enhanced services.\n\nFor our purposes, an office is defined as having a paperless environment if its work\nprocesses are essentially electronic, with minimal required use of paper documents and\nreduced need for human handling of routine tasks. The purpose is to eliminate the\ninefficiencies that a paper-based, relatively labor-intensive environment causes, such as\nerrors from duplicative data entry, and to automate routine functions if the benefits of\ndoing so outweigh the costs. The benefits of automation can also occur through the\npaperless exchange of business documents among organizations, i.e., electronic\ncommerce. Thus, in a paperless office, most but not all information would be transmitted\nand stored electronically. Nonetheless, \xe2\x80\x9cgoing paperless\xe2\x80\x9d requires more than simply\ninstalling new computers and software. As will be shown, it can have serious security\nand legal ramifications and significantly affect both an organization\xe2\x80\x99s work processes and\nits internal culture.\n\nHow Electronic Technology Is Evolving\n\nThe technological world in which SBA operates is increasingly open. Users have greater\naccess to one another, particularly through the international system of computer networks\nknown as the Internet.4 This is due in part to greater interoperability, i.e., the ability of\ndiverse electronic systems to communicate with each other through any network.\nDeclining costs also play a major role in widening access, as evidenced by the ability of\nsmall businesses to advertise to the world via the Internet at a lower cost than through\nlocal newspapers, television, or other media. For SBA, this means cost-effective\nopportunities for reaching small businesses and working with resource partners.\n\nElectronic technology continues to change the way people accomplish their work. It has\ndiminished the need for intermediaries and physical assets, while also erasing\n\n4\n The Internet access system that allows millions of computers to connect to thousands of servers is the\nWorld Wide Web.\n\n\n                                                     1\n\n\x0cgeographical boundaries, particularly in the financial marketplace. At the same time,\nprocesses that add no value to the organization can be eliminated or shifted to the\ncustomer. For example, one of the world\xe2\x80\x99s leading management consulting firms\nestimates that a customer using a teller costs a bank $1.07, while an automated teller\nmachine (ATM) transaction costs $0.27. If that customer uses the Internet, the cost is\n$0.01.5 Clearly, these are powerful incentives for organizations to have users do the\nwork themselves\xe2\x80\x94electronically.\n\nUnfortunately, progress comes at a price. Greater dependence on electronic systems can\nmean greater vulnerability to \xe2\x80\x9ccybercrime\xe2\x80\x9d or technical breakdown, particularly if the\nsystems are poorly implemented. As will later be discussed, the very strength of\nnetworks\xe2\x80\x94their interconnectedness\xe2\x80\x94is also their greatest weakness.\n\nPrivate Sector Usage of Paperless Initiatives\n\nAccording to officials in several large companies, the greatest advantage of going\npaperless is the savings in money and time, particularly as new uses for advanced\ntechnology appear.       Some envision prospective borrowers applying for loans\nelectronically at public kiosks, which would replace bank branches over the next 20\nyears. Although the private sector is eager for the cost savings of a paperless\nenvironment, converting to an electronic environment is not always appropriate. For\nexample, officials of two major insurance companies stressed that going paperless should\nnot be viewed as a goal itself, but only as a tool to support organizational objectives, e.g.,\nincreasing revenues, reducing staffing and storage costs, accessing documents in a timely\nmanner, reducing errors, and improving goods or services. In other words, electronic\nconversion requires a compelling business or customer service reason to be cost-\neffective.\n\nIn some cases, the costs of implementing a paperless environment, e.g., training and time\naway from regular work, may exceed the benefits. Private sector managers we\ninterviewed also noted that a cost-benefit analysis can be difficult to perform because the\nconversion to a paperless environment is expensive and the benefits are hard to quantify.\n\nSBA\xe2\x80\x99s Approach to a Paperless Environment\n\nSBA plans to become a \xe2\x80\x9c21st Century Leading-Edge Institution\xe2\x80\x9d through centralizing\nwork processes, modernizing technology, and outsourcing portions of programs,\nincluding a major part of the Office of Disaster Assistance\xe2\x80\x99s loan portfolio. Advanced\ntechnology will enable the Agency and its resource partners to continue moving toward\nelectronic lending from origination through servicing, as in the SBAExpress program.\n\nAccording to SBA officials, the sizable cuts projected in staffing will compel the Agency\nto make greater use of technology and serve more as a portfolio manager in the future.\nThe Agency will likely perform more oversight functions, such as monitoring preferred\nlenders and outsourced services, and act as a facilitator to match small businesses with\n5\n    Andersen Consulting. What\xe2\x80\x99s the Value of eCommerce? www.ac.com/showcase/ecommerce/ecom.\n\n\n                                                2\n\n\x0cresources. Also, there will be more coordination between SBA and other agencies to\nensure that small businesses have access to as many resources as possible.\n\nSBA believes that to continue its commitment to bring the Agency\xe2\x80\x99s programs, products,\nand services to a wider range of small businesses in an efficient and effective manner, it\nmust take full advantage of emerging technologies. This includes using Internet\ntechnology, video conferencing, and long-distance learning to ensure the broadest\npossible access to SBA\xe2\x80\x99s programs and services. At the same time, SBA officials caution\nthat electronic initiatives should be viewed as long-term efforts. In the short term, the\nAgency intends to use both paper-based and electronic methods, particularly for resource\npartners and small businesses whose operations remain largely dependent on paper.\n\nIn order to update its information technology systems for the transition to a paperless\noffice, SBA is focusing on modernizing the following basic components:\n\n        -   Business lending programs,\n        -   Disaster assistance lending program,\n        -   Accounting functions,\n        -   Non-lending programs (Minority Enterprise Development, Government\n            Contracting, and Surety Guarantees),\n        -   Access to information (decision support, electronic information system, ad\n            hoc query), and\n        -   Productivity enhancement (workflow, Intranet).6\n\nA current initiative is to use electronic commerce technology to transmit funds and data\nbetween SBA\xe2\x80\x99s resource partners and the Agency. SBA is working with the Department\nof the Treasury and others to use the Agency as a test site to develop this technology for\nuse throughout the Government.\n\nAccording to SBA officials, the payroll system is likely to become electronic within five\nyears, and billing will be done without human intervention except when there is a\nproblem. Moreover, there have been extensive discussions within the Office of Capital\nAccess concerning the development of paperless office initiatives. For example, the Low\nDocumentation (LowDoc) loan program eventually could become entirely electronic.\nAgency officials believe that ultimately 75 percent of loan activity in the Section 7(a)\nguaranteed loan program will be paperless. They also note that, within the Section 504\nCertified Development Companies program, the Premier Certified Lender Program\n(PCLP) ultimately will be electronic. According to one official, the non-PCLP lenders\nalso want to go paperless.\n\nThe Agency also has taken steps to implement paperless office initiatives in other\nprograms. The disaster assistance program is creating a paperless application and loan\nprocess for home loans, and the micro-lending program is developing ways to transfer\nelectronic information to its intermediaries. In the Office of International Trade, all\n\n6\n SBA\xe2\x80\x99s Five-Year Revised Strategic Plan (FY1998-FY2002), \xe2\x80\x9cCreating Opportunities for Small Business\nSuccess (Draft),\xe2\x80\x9d June 9, 1998, p. 63.\n\n\n                                                 3\n\n\x0creporting will eventually be electronic. In the Office of Surety Guarantees, companies in\nthe Preferred Surety Bond program submit their bond information electronically. Finally,\nin the Investment Division, funding for Small Business Investment Companies is handled\nelectronically, and the reporting function combines electronic and non-electronic means.\n\nDespite such efforts, SBA officials acknowledge that internal administrative processes\xe2\x80\x94\nsuch as handling travel documents and requisitions for supplies and services\xe2\x80\x94remain\nlargely paper-based. According to these officials, efforts to go entirely paperless have\nbeen stifled by uncertainties about electronic signatures and incompatibility among\ndifferent information systems. Thus, many documents continue to be printed, approved,\nand processed manually; some officials advocate greater use of the Agency\xe2\x80\x99s Intranet as a\npossible solution.\n\nSBA and the Emerging Public Key Infrastructure\n\nIf current trends continue, SBA will probably conduct much of its business through a\nPublic Key Infrastructure (PKI). As defined by a multi-agency steering committee\npromoting its use in the Federal Government, PKI is \xe2\x80\x9ca combination of products,\nservices, facilities, policies, procedures, agreements, and people that provides for and\nsustains secure interactions on open networks such as the Internet.\xe2\x80\x9d7 A more detailed\nexplanation of PKI is found in the section on security issues.\n\nIf properly and economically implemented, PKI is important to SBA because it addresses\nthe issue of public trust in electronic commerce. Despite their growing popularity,\nelectronic transactions do not yet enjoy the same public trust as paper-based transactions.\nBy contrast, a written signature on a paper document is usually considered valid unless\nlater proven otherwise.\n\nIn an electronic transaction, the parties need to know that messages are valid\n(authentication) and that data remains unchanged from its source (data integrity). The\nsender needs to be certain that the data has been delivered and the recipient needs\nconfirmation of the sender\xe2\x80\x99s identity (non-repudiation). Finally, the authorized parties\nneed to be sure that the information can be read only by them (confidentiality). Without\nsuch assurances, public acceptance of electronic commerce may be limited, thus\nminimizing potential efficiencies and cost savings for SBA and its partner organizations.\n\n\n\n\n7\n    Federal Public Key Infrastructure Steering Committee, \xe2\x80\x9cAccess With Trust,\xe2\x80\x9d September 1998, p. 5.\n\n\n                                                     4\n\n\x0c                  OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\n\nOver the next few years, SBA will make greater use of electronic communications and\nwork methods, while relying less on paper-based processes. Despite the enormous\nefficiencies promised by a paperless environment, the Agency faces numerous security,\nlegal, and work process challenges. Accordingly, the Office of Inspector General (OIG)\ninitiated this inspection as a proactive effort to identify potential problems and to help\nSBA management successfully make the transition to a paperless environment.\n\nThe inspection team conducted extensive library and Internet-based research of private,\npublic, and nonprofit sector organizations\xe2\x80\x99 efforts to establish paperless offices. Team\nmembers also attended workshops and conferences on banking security, electronic\ngovernment, and defending cyberspace, as well as a data security roundtable sponsored\nby the President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE). The team interviewed and\nobtained documentation from key Federal officials at the Social Security Administration,\nthe Department of the Treasury, the Office of Management and Budget, the Federal\nDeposit Insurance Corporation OIG, the Department of Agriculture OIG, and the\nDepartment of Justice.\n\nBecause some companies in the private sector appear to be taking the lead in moving\ntoward a paperless environment, team members gathered considerable information about\nthat sector\xe2\x80\x99s experiences. The banking and insurance industries in particular were chosen\nfor Internet research and interviews because parts of their business operations\xe2\x80\x94such as\naccepting applications and providing for customer credit needs and guarantees\xe2\x80\x94are\nespecially relevant to SBA operations. Nonetheless, other industries also proved\ninstructive in terms of the changes that a paperless environment brings to an organization.\nTo encourage frank discussion of sensitive issues, the OIG agreed not to identify the\ncompanies interviewed by name. Finally, to obtain perspectives from within the Agency,\nteam members interviewed SBA officials in the offices of Administration, Capital\nAccess, Disaster Assistance, General Counsel, the Chief Information Officer, and the\nChief Financial Officer.\n\nAs the data were gathered, it became evident that the issues surrounding the\nimplementation of a paperless office logically fell into three functional areas: security,\nlegal, and organizational. Hence, this report focuses primarily on these three areas.\n\nAll work on this inspection was conducted between April 1998 and January 1999 in\naccordance with the Quality Standards for Inspections issued in March 1993 by the\nPCIE.\n\n\n\n\n                                            5\n\n\x0c6\n\n\x0c    SECURITY ISSUES AFFECTING SBA IN A PAPERLESS ENVIRONMENT\n\n\n            To protect everything is to protect nothing. \xe2\x80\x93Napoleon Bonaparte\n\nThe Basic Problem\n\nIf resource and other constraints made prioritizing security needs essential in Napoleon\xe2\x80\x99s\ntime, then such limitations are particularly relevant today, as the number of electronic\nlinkages\xe2\x80\x94and potential security breaches\xe2\x80\x94rapidly increase. According to the U.S.\nGeneral Accounting Office (GAO), \xe2\x80\x9cthe government\xe2\x80\x99s increasing reliance on\ninterconnected systems and electronic data also increases the risks of fraud, inappropriate\ndisclosure of sensitive data, and disruption of critical operations and services.\xe2\x80\x9d8\nHowever, to gain the greatest benefits from the electronic exchange of information,\nagencies such as SBA must take the risk of allowing at least limited access to their\nsystems. The problem is how to balance access with security, without wasting limited\nfinancial and human resources.\n\nSecurity Principles\n\nAccording to computer security experts in both the private and public sectors,\norganizations attempting to secure their electronic systems should adhere to the following\nbasic principles:\n\n        \xe2\x80\xa2\t Senior management needs to recognize information resources as essential\n           organizational assets.\n\n        \xe2\x80\xa2\t The organization should identify the key information assets that require the\n           greatest protection.\n\n        \xe2\x80\xa2\t Paying disproportionate attention to one part of a system is likely to result in a\n           false sense of security, not better overall security. For example, encryption by\n           itself does not ensure security. 9\n\n        \xe2\x80\xa2\t No electronic security solution should be considered foolproof.\n\n        \xe2\x80\xa2\t An organization cannot stop an attacker; it can only slow him/her down and\n           buy time to detect and react to the attack.\n\n\n8\n  General Accounting Office, \xe2\x80\x9cInformation Security: Serious Weaknesses Place Critical Federal\n\nOperations and Assets at Risk,\xe2\x80\x9d (GAO/AIMD-98-92), p. 2.\n\n9\n  Encryption is the transformation of plain text into unreadable text in order to protect it.\n\n\n\n                                                   7\n\n\x0c       \xe2\x80\xa2\t The greatest threats are internal, e.g., employees who are disgruntled or\n          simply inattentive to security procedures.\n\n       \xe2\x80\xa2\t Because every security control has a cost, the decision to impose a new\n          control should be based on a careful business analysis of the expected\n          benefits.\n\nIn short, effective security means setting priorities by considering the value of the\ninformation to be protected, the extent to which such information is at risk, and the cost\nof safeguards. According to a major management consulting firm, an organization should\nfirst identify the most valuable informational assets to ensure efficient use of resources,\nemployee support of security methods, and seamless integration of security with an\norganization\xe2\x80\x99s goals. Without such a prioritization, an organization may inadvertently\nspend money and effort protecting low value data at the expense of valuable information.\n\nSome prioritization already occurs at SBA. Officials from the business loan program, for\nexample, stated that they inform the Office of the Chief Information Officer (OCIO) what\ntypes of information can be released to the public. In addition, the Agency\xe2\x80\x99s draft\nrevision of the operating procedure for automated information systems security requires\nsensitivity determinations for all computerized data. Nonetheless, it is unclear to what\nextent program managers, attorneys, and other knowledgeable staff systematically\ncoordinate their priorities to ensure that only the most valuable information receives the\nhighest level of protection. Moreover, as programs change, SBA officials are likely to\nneed to redefine which information is valuable.\n\nExternal Threats\n\nEven with the above in mind, balancing access with security is difficult when some of the\nproblems SBA faces originate outside of the Agency. For example:\n\n           \xe2\x80\xa2\t Because of competitive pressures, few software developers adequately\n              research security problems before bringing products to market, thus\n              increasing the odds of complications later. For example, one prominent\n              technology firm introduced Internet software containing a major security\n              defect that rudimentary research could have detected. Some technologists\n              contend that most network software is designed for maximum utility, with\n              security being an afterthought.\n\n           \xe2\x80\xa2\t Codes can be broken. For example, a private foundation needed only 54\n              hours and less than $250,000 in hardware to crack a messaging encryption\n              standard to which the Federal Government had long pressed industry to\n              limit itself. Moreover, intruders known as hackers sometimes work\n              together from different locations to penetrate information systems.\n              Although encryption techniques continue to improve, so does the\n              sophistication of attacks.\n\n\n\n                                            8\n\n\x0c             \xe2\x80\xa2\t Protecting sensitive data at one\xe2\x80\x99s own site is not enough. An organization\n                must also understand the level of security at the entities with which it\n                conducts business. The other party\xe2\x80\x99s weak link can become the weak link\n                of everyone who deals with it.\n\nUnfortunately, there is currently no clear consensus on how to handle sensitive data.\nSome experts believe that it can be sent over public networks as long as it is encrypted.\nOthers, mindful that any internal network connected to the Internet is accessible to\noutside intruders, believe such data should be kept off networks altogether. Nevertheless,\nsecurity procedures for handling the external environment are available. To establish a\nhigh level of security, SBA separates its public access network from its private internal\nnetwork by firewalls, i.e., combinations of hardware and software placed between two\nnetworks designed to block unauthorized access. Moreover, according to a draft\noperating procedure, the Agency requires that corporate or sensitive data transmitted over\nthe Internet to approved destinations be encrypted.\n\nAnother procedure is to use software \xe2\x80\x9cpatches\xe2\x80\x9d to update an information system\xe2\x80\x99s\nsecurity when a new threat is identified. Despite patches\xe2\x80\x99 usefulness, one Federal\ntechnology official estimated that 70 percent of government network administrators were\nnot applying the latest patches to update their agencies\xe2\x80\x99 electronic security. Moreover,\nthe use of patches has limitations. For example, having security experts break into a\nsystem and then patch the vulnerability can occur too late, thus leaving hackers a step\nahead. Hackers could monitor security patch announcements and then exploit targeted\nmachines before the patches can be installed. There is even the possibility that\ndownloading patches to solve software flaws could harm security because of rogue\norganizations posing as patch vendors. In an interconnected electronic world,\nimpersonating others is not difficult if security is poorly implemented.\n\nInternal Threats\n\nAccording to the Federal Reserve, various security surveys have found that the majority\nof attacks on private networks come from internal sources.10 Others estimate that 80 to\n95 percent of all security incidents result from an insider attack.11 This is particularly\ntroubling because an organization\xe2\x80\x99s personnel, including consultants, are likely to have\naccess to critical systems as well as detailed knowledge of the organization\xe2\x80\x99s practices.\nIn one case, an Air Force staff sergeant used the password of another employee as part of\nhis scheme to embezzle over $435,000.\n\nSometimes an internal threat results from naivete or carelessness instead of malicious\nintent. According to experts, computer users have become too trusting, using the same\n\n10\n   Federal Reserve System, \xe2\x80\x9cSound Practices Guidance for Information Security for Networks\xe2\x80\x9d (paper\npresented on April 23, 1998, at the Bank Administration Institute\xe2\x80\x99s Electronic Banking Security\nConference), p. 9.\n11\n   Marcella, Albert J. Jr., Larry Stone, and William J. Sampias. Electronic Commerce: Control Issues for\nSecuring Virtual Enterprises. Altamonte Springs, FL: The Institute of Internal Auditors, 1998, p. 95.\n\n\n                                                    9\n\n\x0cpasswords to enter both secure and non-secure computer sites, thus making it easier for\nthieves to steal the passwords. Another all-too-common problem is \xe2\x80\x9csocial engineering,\xe2\x80\x9d\nin which a hacker tricks someone inside an organization into revealing secret codes. The\nintruder may pose as a new employee or help desk person to obtain passwords or other\nconfidential employee data that can be used to break into an information system.\n\nAccordingly, the most important lesson from security experts is that if an organization\nignores the human element, even the most sophisticated encryption, firewalls, and PKI\nprotections may be rendered useless. Making the necessary adjustments in the\norganizational culture is at least as important as selecting the right technology. It is\ncritical, therefore, for management to (1) identify the information requiring the highest\nlevel of protection, particularly in terms of the risk of loss relative to the cost of\nsafeguards, and (2) ensure that proper internal security practices are fully understood and\nclosely followed.\n\nSecurity on the Internet\n\nThe Internet presents special security problems. Because the method of sending e-mail\nover the Internet was not designed with security in mind, \xe2\x80\x9csniffing\xe2\x80\x9d software can\nintercept transmitted data, enabling intruders to steal user identification, unencrypted\npasswords, and entire messages and files. Such intruders can then masquerade as the\nauthorized users to commit fraud and other crimes. As Internet browsers become more\ncomplex and powerful, software flaws are more likely, resulting in potentially greater\nvulnerabilities.\n\nThere are several ways to combat these vulnerabilities and protect Internet transmissions.\nAs mentioned earlier, software patches can correct known security deficiencies, such as a\nwidely reported defect in a Microsoft office suite that exposed passwords and other\nsensitive data originating from users\xe2\x80\x99 computers. Information sent over the Internet can\nbe encrypted or scrambled, thus rendering it useless to those intercepting it. Sections of a\nnetwork can be separated, e.g., Internet access operations can be on a system different\nfrom the agency\xe2\x80\x99s main computer system.\n\nNonetheless, protecting any organization from outside electronic attack requires that Web\nservers, firewalls, and encryption/authentication systems interact in a smooth and precise\nmanner. Software systems are often large and complex, and a single flaw can give an\nattacker entry into an otherwise secure system. Accordingly, the lingering public\nuncertainties about the Internet are hastening the implementation of the Public Key\nInfrastructure, whose underlying technology has been developed by private industry and\nis being marketed and used commercially. In addition, over 20 Federal pilot projects are\ntesting various aspects of the technology. The major challenge is for the infrastructure to\nsatisfy the needs of vastly different users.\n\nPublic Key Infrastructure (PKI): The Basics\n\nPKI is designed to ensure secure transactions on open networks such as the Internet. To\n\n\n                                             10\n\n\x0caddress security concerns, PKI employs a data item called a digital signature, which is\nused with a digitally encoded message to prove the sender\xe2\x80\x99s identity and the message\xe2\x80\x99s\nintegrity. It is important to note that a digital signature is not simply a digitized\nhandwritten signature, a person\xe2\x80\x99s typed name, or a personal identification number.\n\nTo ensure the digital signature\xe2\x80\x99s uniqueness, the sender and recipient each have a public\n(published) key and a private (secret) key, i.e., a digital representation of a very large\nnumber. When a sender uses the private key to sign an electronic message digitally,\nanyone knowing the sender\xe2\x80\x99s corresponding public key can verify the sender\xe2\x80\x99s signature.\n\nTo enable the keys to work, PKI requires a trusted third party\xe2\x80\x94known as a certification,\nor certificate, authority (CA)\xe2\x80\x94to vouch for the sender\xe2\x80\x99s identity. The CA issues a\ndigitally signed message\xe2\x80\x94called a digital certificate\xe2\x80\x94binding the sender\xe2\x80\x99s identity to\nhis/her public key. The certificate is maintained by the CA and signed using the CA\xe2\x80\x99s\nprivate key.\n\nOf course, someone needs to certify an individual\xe2\x80\x99s identity to the CA so that the CA\nmay issue a digital certificate in the first place. An entity called a registration authority\nperforms this function; it may or may not be part of the CA.\n\nIn some ways, a digital certificate resembles a credit card or driver\xe2\x80\x99s license\xe2\x80\x94an item\nissued by an organization having information about the user and able to verify the item\xe2\x80\x99s\nauthenticity. However, as in the case of these two items, PKI needs to ensure that\ncertificates have a limited lifetime and can be revoked.\n\nThe practical use of digital certificates is moving closer to reality. Recently three leading\nsecurity technology firms collaborated with banks in a pilot project to establish the\ninteroperability of participating banks\xe2\x80\x99 digital signature technologies. In 1999, a global\nbank became the first such institution to successfully provide digital certificates to its\ncorporate clients. SBA has served on the multi-agency steering committee promoting\nPKI within the Federal Government. Internally, the Agency has begun defining the\nrequirements for implementing digital signature technology. However, implementation\nin any Federal agency will require resolving a number of difficult issues, including those\npresented below.\n\nPKI Accountability and SBA\n\nAuthenticating identity traditionally has been an inherently governmental function; PKI,\nhowever, will rely largely on security solutions developed by private industry.\nAccordingly, it will depend on honest and competent CAs and registration authorities. A\nvariety of organizations are preparing to become CAs, including the American Bankers\nAssociation (ABA), which in 1998 announced plans to become a CA for the financial\nservices industry. The ABA also encouraged banks and other financial services\ncompanies to become CAs, whether solely for their own customers or to provide services\nto external entities.\n\n\n\n                                             11\n\n\x0cThe potential for many entities to become CAs raises a number of serious accountability\nquestions. For PKI to work, a CA must be recognized as trustworthy. In theory, a drug\ncartel could operate a CA because currently any organization can issue digital\ncertificates. Even with a legitimate CA, there is the issue of how reliant parties such as\nSBA could ensure that the CA was being diligent. For example, the Agency would need\nto be confident that a CA would cancel digital certificates whenever employees left SBA\nand, conversely, that all cancelled digital certificates would be kept available for\naccountability, evidentiary, and documentation purposes. Finally, there are no guarantees\nthat CAs used by other parties will perform honestly or efficiently.\n\nPerhaps the most fundamental accountability problem is not the security of information\nbut, instead, the veracity of the information itself. What assurance does a CA or\nregistration authority have that the underlying personal information upon which digital\ncertificates are based is accurate? CAs and/or registration authorities might rely on\ndatabases whose information has not been verified. Moreover, the recent increase in\nidentity fraud suggests that such crimes may not require great sophistication on the\ncriminal\xe2\x80\x99s part. Thus, organizations such as SBA face the irony of advanced technology\nbeing used to protect false information\xe2\x80\x94the electronic equivalent of a bank safeguarding\ncounterfeit currency.\n\nGiven the uncertainties about CAs, registration authorities, the information backing\ndigital certificates, other organizations\xe2\x80\x99 level of security, and, as discussed later, the\nevolution of electronic commerce law, how can SBA protect its interests? Major\ninsurance companies grappling with such uncertainties believe that contractual\nagreements among parties become more important as electronic commerce evolves.\nThey suggest that the reliant organizations have a legal contract that clearly identifies the\ntrusted third party\xe2\x80\x99s responsibilities and liabilities.\n\nAnother accountability issue is whether a digital certificate should contain so much\ninformation that it becomes a universal identifier similar to a Social Security number. If\nso, what would be the trade-off between administrative convenience and the vulnerability\nposed by criminals needing only one security breach to obtain a great deal of sensitive\ninformation? And would the CA and/or SBA be held liable for the consequences of such\na breach?\n\nPKI and Privacy\n\nPrivacy is of paramount importance in establishing a trusted and secure paperless\nenvironment. Without adequate protections, the enormous benefits of electronic\ncommerce may not be fully realized due to many potential users\xe2\x80\x99 natural reluctance to\nrisk their privacy and organizations\xe2\x80\x99 fear of lawsuits stemming from the inadvertent\nrelease of confidential information. Although technology has changed dramatically,\nfundamental principles of privacy remain the same.\n\n       \xe2\x80\xa2\t      Individuals must be able to\n\n               --find out what information is held about them,\n\n\n\n                                             12\n\n\x0c               --prevent personal information from being used illegally, and\n               --correct erroneous information.\n\n       \xe2\x80\xa2\t      Organizations receiving personal data must\n\n               --assure the reliability of the data for its intended use, and\n\n               --take precautions to prevent misuse of the data.\n\n\nAn evolving Federal effort likely to affect SBA\xe2\x80\x99s handling of PKI privacy issues is the\nGeneral Services Administration\xe2\x80\x99s (GSA) Access Certificates for Electronic Services\n(ACES) initiative. According to GSA, ACES digital certificates are not intended to serve\nas a single certificate for all government purposes but will support agencies\xe2\x80\x99 activities\nthat require identification of a person. Nonetheless, by delivering public key certificates\nto the public, the ACES initiative seeks to evaluate the feasibility of a uniform identity\ncertificate to promote interoperability among agencies.\n\nAccordingly, privacy advocates worry that ACES would have only a few large\nregistration authorities with similar core identifier elements. To avoid centralization of\ndata about an individual\xe2\x80\x99s identity and activities, these advocates prefer many diverse\nregistration authorities. In addition to such decentralization, they argue for multiple\ncertificates to cover different purposes and information practices, ensuring that the\ninformation collected is limited to the amount needed to complete a transaction.\n\nIt is not clear whether ACES will become the digital standard for the Federal Government\nor whether new legislation will restrict the contents of digital certificates. If neither\noccurs, agencies such as SBA may have to choose between two types of digital\ncertificates. The first would provide complete information about an individual and offer\nadministrative simplicity. Unfortunately, it could create the public appearance\xe2\x80\x94if not\nthe reality\xe2\x80\x94of too much information vulnerable to internal theft or misuse. The other\ntype would be limited to the information necessary to complete specific types of\ntransactions, thus minimizing the amount of information at risk. However, this could also\nimpose substantial administrative complications in maintaining different certificates for\ndifferent purposes.\n\nInternal Security Policies and Procedures\n\nAccording to both private and public sector officials, choosing and installing new\ntechnology are the easy parts of enhancing computer security. Establishing and enforcing\nappropriate policies and procedures are by far the most difficult aspects.\n\nSBA recently drafted a revision of its Standard Operating Procedure (SOP) for\ninformation security that includes the following:\n\n   \xe2\x80\xa2\t Protecting passwords by administrative, physical, and technical security controls\n      to prevent unauthorized disclosure or misuse, such as changing employees\xe2\x80\x99\n      passwords at least once every six months.\n\n\n\n                                              13\n\n\x0c   \xe2\x80\xa2\t Determining the sensitivity of data contained in automated information systems\n      on a regular basis.\n\n   \xe2\x80\xa2\t Keeping sensitive information relating to businesses or individuals doing business\n      with SBA off its Web servers.\n\nNonetheless, private sector managers noted that simply establishing policies and\nprocedures is not enough. Employees need to fully understand their responsibilities and\nthe penalties for not carrying out those responsibilities. For example, a major insurance\ncompany ensures that all security policies\xe2\x80\x94such as not sharing passwords\xe2\x80\x94are clearly\ndefined and widely disseminated. A major bank ensures that each employee has at least\ntwo passwords that are changed every 30 days. It also informs its employees that sharing\na password will result in termination of employment and that employee transactions will\nbe monitored to ensure that security procedures are followed.\n\nUnfortunately, PKI presents special problems. For example, what happens if an\nemployee loses his/her private digital signature key? Unlike the case of credit cards,\nthere is no Federal law capping liability for such a loss. And what happens if someone\nelse uses the digital signature key? Some SBA officials believe that the employee issued\nthe key must be held responsible because he/she was entrusted with it in the first place.\nOthers believe strict penalties would not be enforceable because the circumstance would\nresemble the limited liability of a lost credit card. Regardless of the extent to which\nemployees are held responsible for their actions, the Agency will need the ability to\nrevoke keys quickly after a loss or security breach.\n\nAccording to the multi-agency steering committee promoting PKI, agencies need to help\nestablish a liability structure that balances the interests of users and service providers\nsuch as CAs. However, due in part to the lack of case law in this area, the committee\ndoes not recommend a specific liability policy. Although some security experts believe\nthat the issue of liability may be solved by two-device authentication, i.e., any\ncombination of passwords, digital certificates, hardware tokens, \xe2\x80\x9csmart\xe2\x80\x9d cards, or\nbiometric devices (such as fingerprint reading), this still does not address the employee\xe2\x80\x99s\nresponsibility if both devices are lost.\n\nFinally, organizations can overdo security procedures, resulting in unintended\nconsequences. For example, if employees perceive that complex security procedures are\ntoo onerous and unnecessarily restrict their work, they may simply circumvent or ignore\nthem.\n\n\n                               RECOMMENDATIONS\n\nRecommendation 1. To conserve scarce Agency resources, the OIG recommends\nthat the Chief Operating Officer require that each program, in consultation with the\nOffice of the Chief Information Officer and the Office of General Counsel, identify\nthe types of data requiring the highest level of security and privacy safeguards.\n\n\n                                            14\n\n\x0cRecommendation 2. To protect the Agency\xe2\x80\x99s interests, the OIG recommends that\nthe Office of General Counsel, in consultation with the Office of the Chief\nInformation Officer, develop contracts applicable to any certification authority or\nregistration authority the Agency might use in a Public Key Infrastructure. Such\ncontracts would identify-\xc2\xad\n\n   \xe2\x80\xa2\t Each certification authority\xe2\x80\x99s and/or registration authority\xe2\x80\x99s transaction and\n      security responsibilities,\n   \xe2\x80\xa2\t Each certification authority\xe2\x80\x99s and/or registration authority\xe2\x80\x99s liability for\n      failure to complete an electronic transaction, and\n   \xe2\x80\xa2\t Each party\xe2\x80\x99s recourse if it performs a transaction based on the other\xe2\x80\x99s false\n      or inaccurate information.\n\nRecommendation 3. To allay privacy concerns and limit the exposure of\nconfidential information, the OIG recommends that the Office of the Chief\nInformation Officer, in consultation with the Office of General Counsel, limit future\ndigital certificates to the minimum information necessary to complete Agency\nelectronic transactions.\n\nRecommendation 4. To help minimize the likelihood of internal security breaches in\nan increasingly paperless environment, the OIG recommends that the Office of the\nChief Information Officer and the Office of General Counsel jointly develop a\nconcise notice for periodic display on computer screens to remind Agency employees\nand contractors of-\xc2\xad\n\n   \xe2\x80\xa2\t   Their basic information security responsibilities,\n   \xe2\x80\xa2\t   The penalties for failure to carry out those responsibilities, and\n   \xe2\x80\xa2\t   The fact that using Agency information systems constitutes acceptance of\n        those responsibilities and penalties as well as consent to searches by law\n        enforcement organizations.\n\n\n\n\n                                         15\n\n\x0c16\n\n\x0c                            LEGAL ISSUES AFFECTING SBA\n\n\n\nDesirable Legal Characteristics of a Paperless Environment\n\nAny organization planning to establish a paperless office environment should first\naddress a number of legal issues, including the authentication of documents and\ntransactions, the possession of a documentable record trail, the admissibility of evidence\nregarding digital signatures, and the storage of electronic information. Fortunately, there\nare outside organizations that can provide some guidance on creating the necessary legal\ninfrastructure to make a successful transition to a paperless office.\n\nThe National Conference of Commissioners on Uniform State Laws, which is responsible\nfor developing laws on financial payments and other paper-based commerce, is leading\nthe effort to create a statute for electronic commerce. It is attempting to obtain\nratification by all states of its draft bill, the Uniform Electronic Transactions Act, by the\nyear 2000. The intent is to establish standards that will prevent conflicting legal rulings\namong different states. More specifically, the Act seeks to achieve the following:\n\n     a) Facilitate and promote commerce and governmental transactions by validating\n         and authorizing the use of electronic records and electronic signatures.\n     b) Eliminate barriers to electronic commerce and governmental transactions\n         resulting from uncertainties relating to writing and signature requirements.\n     c) Simplify, clarify and modernize the law governing commerce and governmental\n         transactions through the use of electronic means.\n     d) Permit the continued expansion of commercial and governmental electronic\n         practices through custom, usage, and agreement of the parties.\n     e)\t Promote uniformity of the law among the states (and worldwide) relating to the\n         use of electronic and similar technological means of effecting and performing\n         commercial and governmental transactions.\n     f) Promote public confidence in the validity, integrity, and reliability of electronic\n         commerce and governmental transactions.\n     g) Promote the development of the legal and business infrastructure necessary to\n         implement electronic commerce and governmental transactions.12\n\nIn short, the draft Uniform Electronic Transactions Act provides procedures to enable\nelectronic commerce transactions. To ensure the uniform acceptance of electronic\ntransactions and communications, the Act\xe2\x80\x99s scope includes\n\n     a)   Attribution of an electronic record to a person,\n\n     b)   Accuracy of information,\n\n     c)   Retention of electronic records,\n\n     d)   Legal recognition of electronic signatures,\n\n     e)   Formation of contracts for electronic records,\n\n\n12\n  National Conference Of Commissioners On Uniform State Laws, \xe2\x80\x9cUniform Electronic Transactions Act\n(Draft),\xe2\x80\x9d January 29, 1999, p. 17.\n\n\n                                                17\n\n\x0c     f) Admissibility in evidence, and\n     g) Interoperability capability.13\n\nCurrent Status Of Relevant Laws And Regulations\n\nThe 105th Congress passed a substantial amount of electronic commerce-related\nlegislation, including a bill recognizing electronic signatures, and the current session may\nsee the introduction of additional bills addressing encryption and consumer privacy and\nprotection.\n\nThe Government Paperwork Elimination Act of 1998 requires Federal agencies to\nrecognize electronic signatures and make Federal forms available online during the five-\nyear period beginning in 1998.14 The public will be able to use the Internet to access\nFederal forms and electronically submit them to Federal agencies using electronic\nsignatures. The law enables Federal agencies to use electronic signatures and ensures\nthat such signatures will not be denied the same acceptability and validity as written\nsignatures.\n\nThe Act\xe2\x80\x99s recognition of electronic signatures appears consistent with an earlier\nComptroller General\xe2\x80\x99s ruling on the issue. In 1991, the Comptroller General declared\nthat Federal agencies could create valid obligations electronically.15 Despite the\nComptroller General\xe2\x80\x99s ruling and the passage of the Government Paperwork Elimination\nAct, some businesses have been cautious in adopting the use of electronic signatures due\nto the lack of legal precedent. Nevertheless, SBA is moving toward meeting the Act\xe2\x80\x99s\nprovisions by defining the requirements for implementing electronic signature\ntechnology.\n\nEven though the above legislation is in place, at present the legal authority for disposition\nof certain types of electronic records is in a state of flux. In 1997, a U.S. District Court\njudge declared \xe2\x80\x9cnull and void\xe2\x80\x9d the National Archives and Records Administration\xe2\x80\x99s\n(NARA) edition of General Records Schedule (GRS) 20, Electronic Records, which\nprovided guidelines for the disposition of certain types of electronic records.16 The\njudge\xe2\x80\x99s order, presently on appeal, was in response to a lawsuit filed by Public Citizen\nand others challenging the Federal Government\xe2\x80\x99s ability to destroy records. Currently an\ninformation technology disposition schedule is being developed to replace GRS 20.\n\nIn November 1998, NARA generally endorsed a standard for electronic records\nmanagement developed by the Department of Defense (DoD).17 In its endorsement,\n\n13\n   National Conference of Commissioners on Uniform State Laws, \xe2\x80\x9cUniform Electronic Transactions Act\n\n(Draft),\xe2\x80\x9d January 29, 1999, pp. 17-49.\n\n14\n   Government Paperwork Elimination Act of 1998.\n\n15\n   Comptroller General Decision B-245714, issued December 13, 1991 (71 C.G. 109), also available in\n\n1991 WL 315248 (C.G.)\n\n16\n   National Archives and Records Administration News Release, \xe2\x80\x9cCourt Enables National Archives to\n\nProceed with Electronic Records Plans,\xe2\x80\x9d September 30, 1998, pp. 1-2.\n\n17\n   National Archives and Records Administration News Release, \xe2\x80\x9cNational Archives Endorses Defense\n\nDepartment Standard as Basis for Effective Electronic Records Management,\xe2\x80\x9d November 19, 1998, p. 1-2.\n\n\n\n                                                  18\n\n\x0cNARA declared that DoD\xe2\x80\x99s standard complied with the requirements mandated by the\nFederal Records Act for the management of electronic records. This standard provides a\nbaseline for Federal agencies by specifying that records management software perform\nthe following functions:\n\n     -\t Assign a unique, computer-generated identifier to each record.\n     -\t Treat electronic mail messages that have been filed as records, including\n        attachments, as any other record.\n     -\t Provide for viewing, saving, and printing lists of records (regardless of media)\n        based on record profiles.\n     -\t Identify records that can be sent to a repository for storage.\n     -\t Notify authorized individuals when a record is eligible for destruction and destroy\n        it after their approval.18\n\nFinally, the Computer Fraud and Abuse Act and the general fraud statute (Title 18, USC)\ncover the misuse of computer systems through either negligence or criminal intent.\nHowever, according to SBA\xe2\x80\x99s legal staff, there is nothing specific in the Agency\xe2\x80\x99s\nregulations that address this type of crime, although SBA is taking steps to govern\nInternet use by Agency employees.\n\nSBA\xe2\x80\x99s Internet Policy\n\nTo help prevent misuse of its data and computer systems, SBA issued an Internet/Intranet\npolicy for Agency employees, effective October 28, 1998. According to the policy\xe2\x80\x99s\nguidelines-\xc2\xad\n\n        \xe2\x80\xa2\t Already-existing SBA policies, which apply to employee conduct in other\n           circumstances, may also apply to conduct on the Internet. This includes,\n           but is not limited to, policies on intellectual property protection, privacy,\n           misuse of SBA assets or resources, sexual harassment, information and\n           data security, and confidentiality.\n\n        \xe2\x80\xa2\t Information on SBA\xe2\x80\x99s Internet service is an SBA record, which may be\n           disclosed under the Freedom of Information Act (FOIA). Disclosure\n           determinations on information, including possibly withholding confidential\n           and proprietary information, will be in accordance with SBA\xe2\x80\x99s disclosure\n           policy and FOIA. This information may be protected by the Privacy Act,\n           which generally prohibits disclosure of information kept in any SBA Privacy\n           Act system of records unless FOIA requires disclosure.19\n\n\n\n\n18\n   Department of Defense, \xe2\x80\x9cDesign Criteria Standard for Electronic Records Management Software\n\nApplications (DoD-5015.2-STD),\xe2\x80\x9d November 1997, pp. 7-17.\n\n(See http://jitc-emh.army.mil/recmgt/#standard)\n\n19\n   Small Business Administration Policy Notice, \xe2\x80\x9cSBA Internet/Intranet Policy,\xe2\x80\x9d October 28, 1998, pp. 1-2.\n\n\n\n                                                    19\n\n\x0cUnresolved Legal Issues Facing SBA\n\nThe following external issues are likely to have a bearing on SBA\xe2\x80\x99s use of electronic\ncommerce.\n\nInvestigations and Privacy. A warrant to search a suspect\xe2\x80\x99s computer files may require\nthe government to obtain access to computer files and information, e.g., the transactional\nhabits of Web users, of individuals who are not targets of the investigation. Laws such as\nthe Electronic Communications Privacy Act specify how to conduct such searches.\nMoreover, to assist Federal agents and attorneys with this emerging area of the law, the\nDepartment of Justice issued guidelines for searching and seizing computers in 1994 and\nsupplemented the guidelines in 1997 and 1999. Complicating matters is the fact that\nprivacy principles from the 1970s remain prevalent today even though the technology has\ncreated additional privacy dilemmas. Although applicable to the analysis of electronic\ninformation, the Privacy Act of 1974 is based on a paper records system. Future\nlegislation may need to further clarify privacy rights and responsibilities in an electronic\nenvironment.\n\nBalancing Security with Access to Information. Organizations must ensure that\nelectronic information is reliable and secure. According to a 1997 report by the\nPresident\xe2\x80\x99s Commission on Critical Infrastructure Protection, the nation\xe2\x80\x99s banking and\nfinance infrastructure is vulnerable to attacks by criminals, inside and outside of\norganizations, who gain unauthorized access to computer systems and data. To protect\nproprietary and confidential records, organizations such as SBA can use encryption to\nmake important data unreadable without a decryption key. However, law enforcement\nofficials fear that criminals will use the same encryption technology to commit crimes\nand avoid detection.\n\nThe Type of Identification Needed to Determine Whether the Parties to an Electronic\nTransaction Are Legitimate. As referred to elsewhere in this report, there are concerns as\nto how many identifiers, e.g., digital certificates, should be used to authenticate identity.\nIf an individual only has one identifier, for example, the system might be easily\ncompromised if that identifier were lost or stolen. On the other hand, people are likely to\nresist electronic commerce initiatives if they are required to have separate identifiers for\nmany different purposes such as banking, payment of taxes, or small business assistance.\nWhether one identifier or several identifiers are used, the parties in an electronic\ntransaction must be able to authenticate identity to ensure the reliability and accuracy of\nelectronic transactions.\n\nElectronic Records as Evidence in a Court of Law. Computer communications, such as\ne-mail and electronic transactions, are creating a new form of evidence, with all the\nattendant problems in a court of law, e.g., personal responsibility for content, privacy,\nand evidentiary concerns. In addition to doubts about electronic communications, there\nare conflicting views concerning the validity of electronic copies of paper documents as\nevidence. Nevertheless, legal experts have expressed confidence that, as electronic\n\n\n                                             20\n\n\x0cevidence is increasingly used in court, judges are likely to become more willing to accept\nit as long as it is deemed reliable from a technical standpoint, e.g., it has not been\ntampered with.\n\nStorage of Electronic Records. SBA\xe2\x80\x99s responsibilities regarding the storage of\ninformation are the same in a paperless office as they are in a paper-based office\xe2\x80\x94the\nAgency must document and store official information in an efficient and secure manner.\nOne problem is determining what constitutes official electronic information in, for\nexample, e-mails. Another problem is how to store long-term electronic records as the\ntechnology changes; today\xe2\x80\x99s storage medium could be obsolete tomorrow, rendering\nelectronic documents difficult to retrieve or, at worst, unusable. In such a situation, SBA\ncould be held liable to the same extent as if Agency records were lost or destroyed.\n\nIn conclusion, many organizations have been cautious in embracing electronic commerce\npartly because they are not yet satisfied that electronic records will be secure, available,\nlegally authentic, and binding in court. This is likely to continue until laws, regulations,\nand records management practices catch up with the technology and become case-tested\nin the judicial system.\n\nNecessity of Contractual Protections for SBA\xe2\x80\x99s Use of Electronic Commerce\n\nAt present, there is a measure of confusion as to what type of contract is needed to\nconduct business in a paperless office environment. States have generally been the\nlaboratories for electronic commerce laws and, as a result, non-uniform standards are\nbeing developed. For example, Florida, Minnesota, Utah, and Washington have enacted\ncomprehensive legislation to cover a wide range of issues regarding the use of digital\nsignatures in electronic commerce. In contrast, Arizona, California, Indiana, and North\nDakota have essentially limited their legislation to the use of digital signatures for\ndocuments submitted electronically to the state government. With each state enacting its\nown law, significant confusion can occur concerning the allocation of liability for the\nparties involved in interstate electronic transactions.\n\nUntil uniform standards and rules are developed to cover electronic transactions, parties\nto such transactions will have to rely on the language in a contract for an understanding\nof the legal responsibilities governing their respective actions. Some computer law\nexperts recommend that the parties to a contract ensure that provisions specifically\naddressing electronic transactions are fully understood and included. At a minimum, a\ncontract should identify (a) a means for authenticating the identity of the contracting\nparties; (b) a legally recognized form of signature; and (c) secure, reliable commercial\nrecords.20\n\n20\n Sutin, Alan. Roadblocks Stall Electronic Commerce. New York Law Journal, July 13, 1998,\nwww.nylj.com.\n\n\n\n\n                                                 21\n\n\x0c                             RECOMMENDATION\n\n\nRecommendation 5: The OIG recommends that the Office of General Counsel, in\nconsultation with program managers and the Office of the Chief Information\nOfficer, ensure that contractual agreements and related modifications with resource\npartners and small businesses using electronic means to conduct business with\nSBA-\xc2\xad\n\n   \xe2\x80\xa2\t Define what constitutes a valid electronic identity and signature for each\n      party.\n   \xe2\x80\xa2\t Hold each party responsible for the accuracy of the electronic information it\n      transmits.\n   \xe2\x80\xa2\t Define each party\xe2\x80\x99s recourse if the other fails to carry out any part of the\n      agreement.\n\n\n\n\n                                        22\n\n\x0c                  ORGANIZATIONAL ISSUES AFFECTING SBA\n\n\n\nIn the words of one SBA manager, the purpose of technology for any organization is \xe2\x80\x9cto\nget the right information to the right person at the right time in the right place and in the\nright format.\xe2\x80\x9d Reaching that ideal, however, will require more than simply linking\ncomputers. The experiences of other organizations reveal several important lessons-\nlearned that may benefit SBA programs as they move toward a paperless office\nenvironment. In particular, there are three steps that organizations must take at the start:\n\n   1.\t Decide which work processes should be paperless based on solid business\n       analysis, rather than simply on the availability of advanced technology.\n\n   2.\t Strive to have work processes and electronic systems operate seamlessly by\n       integrating databases, hardware, and software programs that currently operate\n       independently of one another.\n\n   3.\t Recognize that human factors are at least as important as technology in\n       implementing paperless business solutions.\n\nBusiness Analysis\n\nAn organization needs to ensure that implementing a paperless environment makes good\nbusiness sense. This means first examining business functions to determine (1) whether\nthey need to be performed in the first place and (2) whether any changes to improve\nbusiness operations lend themselves to technological applications. Just as technology\nalone should not be the driving force behind change, an organization should not expect to\nmerely apply new technologies or strategies to old business processes.\n\nInstead, any application of paperless office technology should be preceded by a strategic\nassessment of how the application supports the organization\xe2\x80\x99s plans for product and\nservice delivery. Decision-makers need to carefully consider the ways people work and\ninteract and not just rethink the business processes. An assessment of how underlying\nwork processes can be influenced positively by going paperless should then follow. A\ngood example can be found in SBA\xe2\x80\x99s Office of Capital Access, which has undertaken the\nreengineering of work processes as part of its broader loan modernization effort.\n\nOfficials at insurance companies we interviewed also advocated a cautious, \xe2\x80\x9cgo slow\xe2\x80\x9d\napproach to implementing technological solutions. Moreover, some of these officials\nbelieve that for certain applications the best alternative may be to continue use of paper-\nbased transactions.\n\nTo make the necessary assessments, there was a consensus among the many SBA\nofficials we interviewed that a working group of Agency managers should be appointed\nby the Administrator to make the necessary assessments and to oversee prospective\nconversions to a paperless environment. The head of the group\xe2\x80\x94ideally the Chief\n\n\n                                             23\n\n\x0cOperating Officer\xe2\x80\x94could coordinate input from other members and serve as the leader in\nplanning paperless office initiatives. Although Central Office officials would likely\ndominate the group, field staff representation would provide a nationwide perspective.\n\nSuch a central coordination group would undertake the business analyses for paperless\nproposals, including any new Internet presence planned by an SBA office. The group\nwould ensure that obsolete work processes are not automated, that electronic initiatives\nare compatible inside and outside the Agency, and that no attempts to create electronic\ninitiatives go forward without giving full consideration to their effect on the rest of SBA\nand its partners.\n\nThe paperless proposals that passed this screening would then undergo the detailed policy\nand cost evaluations performed by SBA\xe2\x80\x99s existing Business Technology Investment\nCouncil (BTIC). BTIC thus could be assured that management had considered work\nprocesses before trying to buy technology, and the Agency could avoid fragmented\nimplementation of electronic initiatives.\n\nAs noted earlier, conversion to a paperless environment can be expensive, with benefits\ndifficult to quantify, particularly if an organization attempts to handle everything itself.\nHowever, a major technology firm estimates that it could establish a digital signature\nenvironment at SBA and act as a CA\xe2\x80\x94initially with preferred lenders\xe2\x80\x94at a cost of\nbetween $75,000 and $100,000. This would include creation of Web pages, provision of\nseveral thousand digital certificates, and training of some SBA staff who in turn could\ntrain others. After the first year of operation, the annual ongoing cost for maintaining\ndirectories and browsers is estimated at $30,000. In addition, SBA would have internal\nexpenses such as validating employee and resource partner identities, employee training,\nand possible enhanced security. Offsetting the costs are potential\xe2\x80\x94and difficult to\nmeasure\xe2\x80\x94savings in paperwork processing, reduced staff time, and consolidated\nprocesses.\n\nWork Processes and Information Systems\n\nAn important need for organizations making the transition to a paperless environment is\nthe smooth integration of their disparate single-purpose databases and their hardware and\nsoftware platforms. The multiple databases often found in large organizations need to be\nintegrated to ensure that personnel have access to data that needs to be shared.\nOtherwise, staff may be forced to rely on proprietary \xe2\x80\x9cstovepipe\xe2\x80\x9d databases that separate\nproducts or programs from each other, create unnecessary bottlenecks, and make data\nmanagement more complex and costly.\n\nThe experience of a major global bank provides an instructive example. The bank found\nthat its old way of doing business meant that each product in every country it served\noperated with virtual autonomy, making it difficult to access other products of the bank\nfrom around the world. This was expensive and did not provide customers with the\ncustomization to meet their needs. Also, the operation in each country and the related\nproducts employed a model that banks have used for years: a front office (the branch\n\n\n                                             24\n\n\x0cnetwork and sales), a middle office (customer service and loan approvals), and a back\noffice (statement preparation, loan servicing, and payments processing). Each office\nfunctioned independently.\n\nThese disparate operations began to disappear as the bank developed a standardized\nglobal technology platform and integrated the front, middle, and back offices. The bank\nalso adopted an open architecture, adding system flexibility as the offices consolidated.\nThis will enable the bank to reduce from 50 to 10 the number of data centers needed to\nsupport its business.\n\nAs in the case of the bank, SBA officials recognize that maintaining dissimilar hardware\nand software programs within the Agency can create interoperability problems across\nprograms and functional areas. Isolated pockets of automation and different systems for\ndifferent programs tend to separate departments and prevent the linking of SBA products\nand services to best meet customer needs. Some offices in the Agency have recognized\nthis problem and proposed solutions. An OCIO report acknowledged the importance of\nintegrating separate databases, hardware, and software platforms.\n\n        The number one rule of data management is that data is a corporate\n        resource. . . . The creation of enterprise databases, shared by all and\n        owned by none, requires a fundamental shift. . . . Making the shift to an\n        enterprise data environment requires integrated methodologies,\n        adherence by all to rigorous methods and standards and a strong data\n        management function with agency-wide influence. . . . The importance\n        of enterprise data cannot be over emphasized.21\n\nSimilarly, officials in SBA\xe2\x80\x99s Office of the Chief Financial Officer have recognized the\nimportance of an integrated financial management system.\n\n        We envision a group of user-friendly systems that have the same \xe2\x80\x9clook-and\xc2\xad\n        feel,\xe2\x80\x9d contain standardized and accurate information, and communicate\n        electronically in order to enhance the financial and programmatic\n        management capacities of the Agency.22\n\nAn example of an initiative toward this end is SBA\xe2\x80\x99s Digital Signature Technology\nPolicy and Oversight Committee, which seeks to develop a common electronic signature\narchitecture for the entire Agency. Similar Agency-wide approaches can help integrate\nstovepipe databases, hardware and software platforms.\n\n\n\n\n21\n   Small Business Administration, Office of the Chief Information Officer, Strategic Information\n\nTechnology Vision, October 1998, p. 6.\n\n22\n   Small Business Administration, Office of the Chief Financial Officer, Financial Systems Vision,\n\nNovember 1998, p. 12.\n\n\n\n                                                     25\n\n\x0cHuman Factors\n\nThe third, and perhaps most important, organizational issue to be addressed before the\nimplementation of paperless office initiatives is the recognition of human factors that, if\nleft unattended, can bring a halt to the most elegant or technologically sophisticated\nsolutions. Our research found that while technological innovations continue to overcome\ntechnical systems problems, organizations often underestimate the cultural and human\nobstacles to success in the paperless office. As one SBA official noted, the \xe2\x80\x9clow-tech\nissues can scuttle high-tech solutions,\xe2\x80\x9d meaning that failing to address the more basic\nhuman issues, e.g., resistance to change, inattention to security procedures, or fear of job\nloss, can prevent the successful implementation of high-tech solutions. Moreover, for\npaperless office initiatives to be embraced by any organization, they must be driven by\nthe managers and users, rather than the technical staff. Users need to know that they have\ninput into the initiatives and that their buy-in is critical to the success of the paperless\noffice.\n\nStill, resistance to change is likely, particularly when people have fallen into familiar and\ncomfortable ways of performing their jobs. According to a principal at a firm that\nfollows the document-imaging market, \xe2\x80\x9cYou can\xe2\x80\x99t force a new process and a new\ntechnology on people. That will overwhelm them.\xe2\x80\x9d23 To win support for a new\ntechnology, organizations need to show users how the change can make their jobs more\nproductive and satisfying.\n\nOne example of a paperless initiative from the private sector that benefited both users and\nthe organization is that of a major airline\xe2\x80\x99s maintenance operations division, which\nreplaced an elaborate paper and microfilm-based system with a completely electronic\none. The airline had been using microfilm readers/printers for its mechanics to view and\nprint maintenance reference documents for the airline\xe2\x80\x99s fleet of planes. The primary\nbusiness reason for the electronic conversion was the need to reduce the amount of time\nmechanics took to access the reference data during the repair process. Once\nimplemented, the new electronic system dramatically reduced the number of data-related\nerrors while also reducing the time and effort required by clerical staff to keep records\ncurrent. Anecdotal observation showed that the time it took a mechanic to access\ninformation was reduced on average from 15 minutes to 30 seconds. Mechanics now\nspend less time searching reference manuals and have more time to actually repair planes,\nthus benefiting the mechanics, the airline and, not incidentally, the flying public.\n\nAnother example of a paperless initiative that benefited both users and the organization is\nfrom one of the country\xe2\x80\x99s largest real estate firms, which implemented a specialized\nsoftware package for filling out the forms necessary in real estate transactions. This\nsoftware enables the administrative staff to scan the appropriate forms and complete them\non a personal computer. This allows for easy indexing and retrieval, while increasing the\n\n23\n  Sherman, Erik. Paperless Office Still a Goal, But Reality Remains Elusive. MacWeek Solutions,\nJune 17, 1996, p. 3.\n\n\n                                                  26\n\n\x0cstaff\xe2\x80\x99s efficiency and productivity. Such employees can now devote time to the more\nproductive aspects of transactions, thus benefiting themselves, their firm, and their\ncustomers.\n\nSome officials interviewed noted that the application of technology to the workplace is\noften associated with the loss of jobs. However, this is not always the case, as a major\ninsurance company found when it implemented a paperless initiative. Originally, 120\npeople were targeted for possible layoffs but were instead assigned to other jobs.\nMoreover, as one SBA official has pointed out, new technology can create new jobs as\nolder functions are changed or eliminated. The Internet, for example, has created a need\nfor \xe2\x80\x9ccybrarians,\xe2\x80\x9d people who organize electronic data like librarians. This function did\nnot exist before the application of Internet technology. In short, Agency employees need\nto know that although job functions may change, new technology does not automatically\nmean job loss.\n\nBased on other organizations\xe2\x80\x99 experience, the successful implementation of paperless\noffice initiatives at SBA is likely to be evolutionary rather than revolutionary. And even\nwhen enterprise-wide solutions are chosen, the best option is often for incremental\nimplementation. The Agency has already taken this course with its use of pilot programs\nto test electronic applications, such as with the SBAExpress and LowDoc business loan\nprograms.\n\nWhat specific steps should an organization follow to become paperless? One of the most\nambitious electronic initiatives in the Federal Government is the DoD effort to implement\na paperless contracting process. The blueprint for accomplishing this calls for-\xc2\xad\n\n     \xe2\x80\xa2\t Establishing a senior-level steering group,\n     \xe2\x80\xa2\t Creating incentives for people to exchange information electronically,\n     \xe2\x80\xa2\t Improving coordination and communication across functional areas,\n     \xe2\x80\xa2\t Reviewing and eliminating policies and procedures requiring that information be\n        stored on paper, and\n     \xe2\x80\xa2\t Reviewing statutory requirements for proposed legislative relief from paper\n        creation.24\n\nThese generic steps should be the basis for any organization seeking to carry out\npaperless initiatives.\n\nExamples of Governmental Paperless Office Initiatives\n\nThere are numerous examples of agencies already using paperless office systems to\ndeliver government products or services. Two of the most popular and effective\nelectronic delivery channels for government information and services are public kiosks\nand World Wide Web home pages. SBA has a comprehensive Web site and envisions\n\n24\n  Department of Defense, \xe2\x80\x9cBlue Print for Paper-Free Contracting Process (Revision A),\xe2\x80\x9d\nSeptember 4, 1997, p. 18.\n\n\n                                                   27\n\n\x0cusing self-service kiosks to provide information and technical assistance to small\nbusiness entrepreneurs.\n\nKiosks are well suited for service transactions because private telecommunications\nnetworks have provided their security. They can provide citizens with \xe2\x80\x9cone-stop\nshopping\xe2\x80\x9d for government information and services, particularly when placed in malls,\ngovernment office buildings, and other public locations. Moreover, several agencies can\nutilize and share the cost of a kiosk. Here are two examples of kiosk applications:\n\n   \xe2\x80\xa2\t ServiceOntario, a network of self-service kiosks installed throughout the\n      Canadian province, has enabled residents to obtain key motor vehicle information\n      and services at more convenient times and locations. The program began as a\n      pilot but quickly expanded to over 60 kiosks that now allow citizens to perform\n      such functions as renewal of vehicle registrations, payment of court and parking\n      fines, and ordering of customized license plates. The program has received\n      overwhelming support from the public, with 94 percent of users rating the service\n      \xe2\x80\x9ceasy to use and enjoyable.\xe2\x80\x9d\n\n   \xe2\x80\xa2\t The Colorado Department of Labor has converted eight unemployment offices\n      around the state from traditional counter-based operations to sites supported by\n      computer kiosks. At these locations, citizens can complete applications and\n      search for information directly from the kiosk without having to deal with paper\n      forms. The kiosks provide citizens with easy access to job information as well as\n      expert help. The state, in turn, benefits by minimizing office space and workforce\n      requirements and by gaining \xe2\x80\x9cat the source\xe2\x80\x9d entry of data.\n\nOther examples of government paperless initiatives include the following:\n\n   \xe2\x80\xa2\t DoD is in the process of making its major weapons systems acquisition process\n      completely paperless by 2000.\n\n   \xe2\x80\xa2\t The National Aeronautics and Space Administration\xe2\x80\x99s (NASA) Small Business\n      Innovation Research (SBIR) contracts program is a paperless system that manages\n      35 percent of NASA\xe2\x80\x99s new contracts. It uses encryption to protect companies\xe2\x80\x99\n      proprietary data as those companies exchange information over the Internet with\n      NASA\xe2\x80\x99s field centers.\n\n   \xe2\x80\xa2\t The Internal Revenue Service (IRS) encourages the electronic filing of income tax\n      returns, which it hopes will reach 80 percent of all such returns by 2007. The IRS\n      has found that electronic filing reduces errors, speeds processing time, and\n      provides better security for private information.\n\n   \xe2\x80\xa2\t The Department of the Interior\xe2\x80\x99s Minerals Management Service (MMS) has\n      successfully converted one of its regional public information offices into a\n      paperless office. By using state-of-the-art technology, such as optical imaging\n\n\n\n                                           28\n\n\x0c       and advanced software for electronic retrieval, the majority of traditional paper\n       files have been eliminated, with more than one million pages available\n       electronically. This innovative improvement in office automation has enabled\n       MMS to better meet the demands of nearly 18,000 annual customer requests for\n       public information.\n\n   \xe2\x80\xa2\t \xe2\x80\x9cEmployeeexpress.gov\xe2\x80\x9d is an electronic system that enables Federal employees in\n      some agencies to control processing their own personnel and payroll data without\n      using paper forms. Employees can access the system 24 hours a day to change\n      their Federal and state tax withholding status, arrange for payroll direct deposit,\n      change addresses, and make Thrift Savings Plan open-season transactions via the\n      Web site.\n\nSBA officials envision many potential opportunities for the Agency to automate and\nmake its services user-friendly and more accessible through such paperless initiatives as\nWeb sites and electronic kiosks. For example, in the future, a small business owner may\nbe able to access the SBA Web site and select an on-line course to learn how to keep his\nbusiness competitive. Alternatively, that same small business owner may be able to\nbrowse informational resources at an Agency kiosk at a convenient location any time of\nday.\n\nA Cautionary Tale\n\nAlthough there are many successful paperless office initiatives, a recent experience of the\nSocial Security Administration (SSA) provides a good example of what can go wrong\nwhen such an initiative is implemented too quickly.\n\nIn March 1997, SSA began a national test of an online, interactive version of its Personal\nEarnings and Benefit Estimate Statement (PEBES). The Internet-based PEBES had a\nnumber of personal authenticating elements to help prevent access to PEBES by anyone\nother than the subject. However, after only one month of operation, the online PEBES\nwas suspended following much criticism that its security and privacy protection measures\nwere inadequate.\n\nThe primary problem was that an intruder could access an individual\xe2\x80\x99s record by\nobtaining such personal authentication information as name, Social Security number, date\nof birth, place of birth, and mother\xe2\x80\x99s maiden name. SSA found that the information\nneeded to answer these questions was relatively easy to obtain from non-SSA sources.\n\nOn the advice of experts convened in a series of national public forums, SSA decided to\nmake the service available only to people who have a registered e-mail account, such as\nwith an employer or an Internet service provider. SSA uses the e-mail address to send\nthe requester an activation code that, together with the personal authenticating\ninformation, unlocks an online version of PEBES. If the request is accepted through the\nInternet, SSA returns the information by mail to an address already contained in their\nrecords, providing an additional layer of protection. The entire transaction may\n\n\n                                            29\n\n\x0ceventually be accomplished online, but only after proper security and authentication\nprocedures have been thoroughly tested.\n\nSSA concluded that, although its security efforts were not lacking, the constantly\nchanging nature of the new electronic environment makes a diligent system security and\nenforcement effort vital to any organization instituting electronic applications.\n\n\n                              RECOMMENDATION\n\nRecommendation 6. To ensure that obsolete work processes are not automated and\nthat electronic initiatives are compatible inside and outside of SBA, the OIG\nrecommends that a top-level SBA official with authority over SBA programs, such\nas the Chief Operating Officer, lead a central coordination group of managers, staff,\nand technical experts to-\xc2\xad\n\n   \xe2\x80\xa2\t Identify any major Agency work processes that should be eliminated or\n      performed by outside parties.\n   \xe2\x80\xa2\t Identify processes that are candidates for electronic initiatives.\n   \xe2\x80\xa2\t Refer the electronic initiatives approved by the group to the Business\n      Technology Investment Council for detailed policy and cost evaluation.\n\n\n\n\n                                          30\n\n\x0cCOPIES OF APPENDICES A, B, AND C ARE AVAILABLE UPON REQUEST.\n\n\n\n\n\n                                31\n\n\x0c                                             APPENDIX D\n\n\n                      CONTRIBUTORS TO THIS REPORT\n\n\n\nPhil Neel, Team Leader\nMichael Gaheen, Inspector\nMark Taylor, Inspector\n\n\n\n\n                                   37\n\n\x0c'